Mr Schrems’s legal battle over Safe Harbour was sparked by Mr Snowden’s revelations over the US National Security Agency’s Prism surveillance system which allowed spies to access enormous amounts of data from global tech companies.
The ECJ instructed the DPC to investigate the Schrems complaint and decide, after its investigation, whether the transatlantic transfer of Facebook’s European subscribers to the USA should be suspended on the ground that the country does not afford an adequate level of protection of personal data.
The European Commission separately demanded a review of Safe Harbour to ensure that USA authorities’ access to Europeans’ data would be proportionate and limited to what is absolutely necessary.
The Court of Justice reasoned that the Safe Harbor agreement violated citizens’ privacy rights, reports Fortune, because, the Court said, people have no control over how their information and personal data is being put to use.
Yves Bot, an advocate general at the court, had said the agreement should be ditched because “mass, indiscriminate surveillance” by the US suggests that, when Europeans’ data flows there, it isn’t sufficiently protected.
The ruling “pulled the rug under the feet of thousands of companies” that have been relying on safe harbor, said Monika Kuschewsky, special counsel at Covington & Burling LLP in Brussels.
Max Schrems, 28, an Austrian student, triggered the case with a complaint he filed in 2013 in Ireland.
U.S. businesses and authorities alike will be furious with the decision, lawyers will be rubbing their hands with glee and the European Commission will be shaking its head and wondering where it all went wrong.
Since 2000, the sharing of personal data between the European Union and USA was permitted under the Safe Harbor agreement.
The implications of the European Court of Justice (ECJ) ruling could be far-reaching, leading to more paperwork and driving up costs for firms transferring information from the EU to the US.
Schrems said he hoped the ruling will be a milestone for online privacy.
U.S. Commerce Secretary Penny Pritzker told U.S. News ahead of the ruling that “following the court decision, we will continue to work with our partners in Europe to protect privacy while providing certainty for businesses”. There are many US-based providers that are storing data on behalf of companies located in Europe. “In declaring the old “Safe Harbour” rules invalid, however, the significance of the judgment extends far beyond the case presently pending in Ireland”, said Dixon.
There was no immediate reaction to the judgment from Washington, but last month the United States said an opinion by the European Union court’s top legal counsel which reached similar conclusions was based on “inaccurate assertions”.